The need to protect sensitive information

In the digital age where it is increasingly easy for a departing worker to take valuable company data with them, it is imperative that workplaces don’t leave themselves vulnerable.

The employment relationship does not always end amicably but for the most part, employers and employees are usually able to part company on civilised terms, if not friendly ones.

One exception, however, is where the employee sees an opportunity to make themselves a more attractive prospect for future employers and attempts to jump start their new career by taking sensitive information with them. In the digital age, there’s nothing simpler than emailing key documents to a personal account, or inserting a USB key into the side of the computer. The act can take seconds, but the effect on a previous employer can be very serious and far-reaching.

So what can an employer do to protect themselves in this situation?

Usefully, the courts have demonstrated on numerous occasions that they are not prepared to allow an employee to get off scot-free when this happens. If necessary, the courts will make orders directing an employee to return company property/sensitive data to the old employer, to refrain from using that data in any future job and, if necessary, to prevent a future employer from making use of the data in question.

In certain organisations, and for certain roles, this can be critically important. There are very few businesses that would be pleased with a situation in which a former employee could leave the building with sensitive/confidential information (customer lists, potential business targets, hourly rates, pricing information and other material that would give a competitor an advantage).

There are a number of rudimentary steps that can be taken by employers to greatly increase the prospect of a successful application to the courts in these circumstances. The law is sufficiently developed to the make the mere threat of an application enough in the majority of cases in my experience.

The courts will almost always imply an obligation of fidelity/confidentiality into an employment relationship but precision is key and contracts of employment for high-level/sensitive roles should be very explicit in terms of:

the obligations incumbent upon employees and

the restrictions when they leave employment.

In tandem with this, employers can usefully maintain policies setting out rules on what employees can (and cannot) do with sensitive/confidential data.

The employment contract is the most important document to get right. There should be a clear prohibition on disclosing confidential information post-employment.

This should be drafted as widely as possible to eradicate any possibility that an employee is permitted to share confidential information either during the relationship, or after it.

It is insufficient to refer to generally to terms like “confidential information”. The contract should contain a carefully worded definition specific to the business that explains in easily understandable terms what “confidential information” means.

Coupled with this, the contract should contain provisions strictly prohibiting employees from copying or removing confidential information in the course of employment except where it is necessary for the purposes of the job. As well as that, the contract should make a point of noting that on termination, all confidential information must either be returned to the company or deleted from electronic devices.

Given advances in technology, it is all too easy for employees to remove confidential/sensitive information under the radar. Employers may not become aware of the fact that the information has been removed for some time and in certain cases, only after the employee has left. An employer in that situation will want to move quickly to safeguard their position – and an employer who has taken simple precautionary steps of the kind set out in the present article will be at an immediate advantage.

On this, an employer is entitled to take certain steps to clarify whether an employee has removed data. Obviously nowadays, it’s quite easy to tell if an email has been sent or a USB key plugged into the side of a computer (and what was copied to it before it was plugged out again).

While employers are generally constrained in monitoring employee emails/accessing their computers without the employee’s knowledge, there are always exceptions. Data protection rules mean that employers can’t monitor indiscriminately – but they are allowed to do so if there are objective and necessary reasons. If an employer has reasonable cause to believe that an employee has removed sensitive data, for example, they can investigate – and that investigation can include accessing a (business) email account to see what has been sent from that account.

Another rudimentary step that employers can easily take is ensure that its Data Protection policy reserves the right to inspect an email account if the employer believes rules have been breached. If you put an employee on notice of the fact that you may do this, their scope to complain is reduced when you follow through.

There is really no excuse for taking some time at the beginning of the relationship to think about potential issues that might arise if the employee seeks to move on to better things. A stitch in time save nine, as they say.